The Year of the GDPR: 2018’s Most Famous Privacy Regulation in Review

To the extent that 260-page regulations can ever be said to be “famous,” Europe’s General Data Protection Regulation (GDPR) certainly had its moment in the limelight in 2018. When it came into force on May 25, it was heralded by a flurry of emails from tech companies, desperate to re-establish their absolutely bona-fide relationships with your email address before the regulation’s stricter rules around user consent came into force.

The barely-concealed panic in some corners led to editorials, memes, and even a meditation app that marketed itself (presumably in compliance with the GDPR) by offering to lull its users to sleep with spoken excerpts from the law.

Did the GDPR live up to the year’s hype, good or bad? As Premier Zhou Enlai didn’t quite say about the French Revolution, it’s too early to say. There are plenty of ways that the GDPR can help with defending privacy online, but the real proof of the GDPR’s provisions will be in how they are enforced, and against whom. And those patterns will only emerge as European regulators begin to flex their new powers.

They have quite the backlog already. Hours after the GDPR came into effect, Max Schrems (2016 EFF Pioneer Award winner, and the successful challenger of the EU’s privacy safe harbor with the United States) filed a series of complaints in his home country of Austria. Aimed at Google, Instagram, WhatsApp and Facebook, the cases revolve around the claim that these services gave customers no real choice in accepting the new privacy policies – which would be a breach of the tougher GDPR rules. In November, Privacy International filed another series of complaints aimed at the practices of Europe’s leading data-brokers, credit agencies, and ad-tech companies. It wasn’t just non-profits: the company behind the Brave browser also filed a GDPR complaint in Ireland, challenging the basis of the modern online advertising business.

We’re waiting for the results of those complaints, and their inevitable appeals. Even without key enforcement decisions, GDPR’s broad popularity has already prompted regulators and lawmakers around the world to increase their oversight of personal data. In Italy, it was competition regulators that fined Facebook ten million euros for misleading its users over its personal data practices. Brazil passed its own GDPR-style law this year; Chile amended its constitution to include data protection rights; and India’s lawmakers introduced a draft of a wide-ranging new legal privacy framework.

The GDPR increases fines and the ability of regulators to intervene in cases of potential privacy violations – but with great power can come great irresponsibility. If you’ve seen how copyright law can be twisted to turn into an engine for censorship and surveillance, it will have come as no surprise when Romanian authorities attempted to use the GDPR’s wide powers to threaten journalists investigating corruption in the country. The EU body in charge of the GDPR, the European Data Protection Supervisor, has yet to publicly comment on what is happening in Romania, but it’s a vivid reminder that even the most well-intentioned laws can have unimagined consequences.

This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2018.
